Firewall INPUT filters

Revision as of 12:45, 18 November 2014 by WikiFreak (talk | contribs) (ElasticSearch)


INPUT view

Input filters


Basic inputs

You can find the basic INPUT rules over here: Firewall core (main) protocols


Security services

SSH

# SSH - max 3 new connection requests per minute (burst of 3)
# Packets over the limit are not accepted here and fall through to the rest of the chain
$IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT


LDAP

$IPTABLES -A INPUT -p tcp -i eth0 -m state --state NEW --dport 389 -j ACCEPT # LDAP
$IPTABLES -A INPUT -p tcp -i eth0 -m state --state NEW --dport 636 -j ACCEPT # LDAPS


Web services

Recommendation: you should only open HTTP and HTTPS (TCP 80 and 443) and reach the other web applications through proxy redirections. See: Sonar#Apache2 proxy


HTTP web server

You have to open the following ports:

  • Port 80 = HTTP
  • Port 443 = HTTPS

$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT    # HTTP
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT   # HTTPS


Application servers (HTTP alt.)

You have to open the following ports:

$IPTABLES -A INPUT -p tcp --dport 8080 -j ACCEPT    # HTTP alt.
$IPTABLES -A INPUT -p tcp --dport 8443 -j ACCEPT    # HTTPS alt.


Sometimes you also need to open:

# JBoss WildFly
$IPTABLES -A INPUT -p tcp --dport 9990 -j ACCEPT   # WildFly administration
# Glassfish
$IPTABLES -A INPUT -p tcp --dport 4848 -j ACCEPT   # Glassfish4 administration manager
$IPTABLES -A INPUT -p tcp --dport 1527 -j ACCEPT   # Glassfish4 security manager
$IPTABLES -A INPUT -p tcp --dport 7676 -j ACCEPT   # Open MQ (bundled with Glassfish) - JMS broker


Sonar

You have to open port 9000:

$IPTABLES -A INPUT -p tcp --dport 9000 -j ACCEPT


Zabbix

You have to open port 10051:

$IPTABLES -A INPUT -p tcp --dport 10051 -j ACCEPT


ElasticSearch

You have to open ports 9200 and 9300 and allow multicast discovery:

$IPTABLES -A INPUT -p tcp --dport 9200 -j ACCEPT    # HTTP
$IPTABLES -A INPUT -p tcp --dport 9300 -j ACCEPT    # Transport
$IPTABLES -A INPUT -p udp --dport 54328 -j ACCEPT   # Multicast discovery (multicast is UDP, not TCP)


You must ensure multicasting is allowed:

## Allow multicasting
echo " ... Enable multicasting"
echo 1 > /proc/sys/net/ipv4/conf/all/mc_forwarding


Webmin

You have to open at least port 10000:

$IPTABLES -A INPUT -p tcp --dport 10000 -j ACCEPT   # Webmin services manager
$IPTABLES -A INPUT -p tcp --dport 20000 -j ACCEPT   # Webmin users management


Dashing

Dashing is a dashboard solution. It's very nice and handy to monitor your IT and applications. It runs on TCP 3030.

$IPTABLES -A INPUT -p tcp --dport 3030 -j ACCEPT



Development

Messaging

# Open MQ (bundled with Glassfish)
$IPTABLES -A INPUT -p tcp --dport 7676 -j ACCEPT    # JMS broker

# ActiveMQ server
$IPTABLES -A INPUT -p tcp --dport 8161 -j ACCEPT    # HTTP console
$IPTABLES -A INPUT -p tcp --dport 8162 -j ACCEPT    # HTTPS console
$IPTABLES -A INPUT -p tcp --dport 11099 -j ACCEPT   # JMX management
$IPTABLES -A INPUT -p tcp --dport 61616 -j ACCEPT   # JMS queues

# Rabbit MQ
$IPTABLES -A INPUT -p tcp --dport 15672 -j ACCEPT   # HTTP console
$IPTABLES -A INPUT -p tcp --dport 5672 -j ACCEPT    # AMQP protocol


Source control

# SVN server
$IPTABLES -A INPUT -p tcp --dport 3690 -j ACCEPT
# GIT server
$IPTABLES -A INPUT -p tcp --dport 9418 -j ACCEPT


Java

$IPTABLES -A INPUT -p tcp --dport 1099 -j ACCEPT      # JMX default JVM RMI port
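
Several of the ports above (WildFly and Glassfish administration, Webmin, JMX) are management interfaces that should not be reachable from everywhere. The script below is an added example, not part of this wiki page: it builds an iptables-restore ruleset from a service table, restricting the management ports to an assumed admin subnet (10.0.0.0/24) and rate-limiting new SSH connections. The service table and the subnet are constructed assumptions.

```shell
#!/bin/sh
# Added example: generate an iptables-restore filter table from a service list.
# Usage: sh rules.sh > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
ADMIN_NET="10.0.0.0/24"   # assumed management network (adjust to your LAN)

# Constructed service table: proto port scope comment
# scope "any"   = reachable from everywhere
# scope "admin" = only reachable from $ADMIN_NET
SERVICES='tcp 80 any HTTP
tcp 443 any HTTPS
tcp 9990 admin WildFly administration
tcp 4848 admin Glassfish administration
tcp 10000 admin Webmin
tcp 1099 admin JMX'

# Emit one INPUT rule in iptables-restore syntax: rule_for proto port scope comment
rule_for() {
    src=""
    if [ "$3" = "admin" ]; then
        src="-s $ADMIN_NET "
    fi
    printf -- '-A INPUT %s-p %s --dport %s -m state --state NEW -m comment --comment "%s" -j ACCEPT\n' \
        "$src" "$1" "$2" "$4"
}

# Print a complete filter table: default DROP, loopback, established traffic,
# rate-limited SSH, then one rule per service line.
gen_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # SSH: at most 3 new connections per minute, burst of 3
    echo '-A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT'
    printf '%s\n' "$SERVICES" | while read -r proto port scope comment; do
        rule_for "$proto" "$port" "$scope" "$comment"
    done
    echo 'COMMIT'
}
```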


Database

$IPTABLES -A INPUT -p tcp --dport 3306 -j ACCEPT      # MySQL



DHCP

This is how you enable a DHCP server with TFTP (NetBoot):

IPTABLES=`which iptables`
LAN_ADDRESS="172.16.50.0/24"

# Allow LAN communication
# ... Required for NFS and the NetBoot ...
$IPTABLES -A INPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT

########################
# INPUT filters
########################

##### DHCP client ######
# Broadcast IP request
$IPTABLES -A OUTPUT -p udp -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT
# Replies to the IP requests
$IPTABLES -A INPUT -p udp -s 255.255.255.255 --sport 67 --dport 68 -j ACCEPT

###### DHCP server ######
# Receive the clients' requests [udp + tcp]
$IPTABLES -A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 68 --dport 67 -j ACCEPT

# NetBoot - TFTP server
$IPTABLES -A INPUT -p udp -s $LAN_ADDRESS --dport 69 -j ACCEPT


########################
# OUTPUT filters
########################
# DHCP [udp + tcp]
$IPTABLES -A OUTPUT -p udp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 68 -j ACCEPT

# TFTP NetBoot
$IPTABLES -A OUTPUT -p udp --dport 69 -j ACCEPT


Note the difference between the broadcast request, which every computer should allow, and the plain OUTPUT allow on ports 67 and 68, which is only needed on the DHCP server!


Don't forget to adjust the network number (172.16.50.0/24) to your own LAN.


NFS

It's really tricky to adjust the firewall for NFS as its ports are dynamic. One option is to allow all LAN traffic (see the LAN rules in the DHCP section) and use NFS over the LAN only.